MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 965dffc8c73d88f296086b5c6324b2be6ef9cd5041d6d7822370f2a04dc1538b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ArkeiStealer


Vendor detections: 13


SHA256 hash: 965dffc8c73d88f296086b5c6324b2be6ef9cd5041d6d7822370f2a04dc1538b
SHA3-384 hash: 4cc955cc59da1049cfabbb9824850b851952a11e82f9c984fe3b53df4fb6d771bbe6e5d20582558c7346aa1b7cf08259
SHA1 hash: 3c7f3b016a684ca9c61c0ef43cf229d9e48de305
MD5 hash: 2c087bb64cb5b12444c5ad9e20f46822
humanhash: london-twelve-six-golf
File name: 2c087bb64cb5b12444c5ad9e20f46822
Signature: ArkeiStealer
File size: 295'424 bytes
First seen: 2022-06-17 07:03:49 UTC
Last seen: 2022-06-17 13:18:18 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 0eb941e68d2317655292fa7b7b38e90a (1 x ArkeiStealer)
ssdeep: 6144:A/4tkvSYPjK6YQ4KNsMlo8PDkp44WJlQR:A/4tkaYGKNsM9z4GQ
TLSH: T1CD545B63F4C0C1B1E4654932F8699ABD8F2BBE354B50D65B23CC7E363BF11A16121AD2
TrID:
32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: fe3cfcdcbe9ec4e4 (1 x ArkeiStealer)
Reporter: zbetcheckin
Tags: 32 ArkeiStealer exe

Intelligence


File Origin
# of uploads: 3
# of downloads: 223
Origin country: n/a
Vendor Threat Intelligence
Malware family:
ID: 1
File name: boomclnr.exe
Verdict: Malicious activity
Analysis date: 2022-06-18 05:34:39 UTC
Tags: evasion loader arkei trojan stealer vidar

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Searching for the browser window
DNS request
Sending a custom TCP request
Creating a file
Reading critical registry keys
Changing a file
Creating a file in the %AppData% subdirectories
Running batch commands
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Oski Stealer
Verdict: Malicious
Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking computer name)
Found evasive API chain (may stop execution after checking locale)
Found evasive API chain (may stop execution after checking mutex)
Found many strings related to Crypto-Wallets (likely being stolen)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph: [graph image not reproducible in text; Behavior Graph ID: 647435, Sample: LD4Rkw0htp, Startdate: 17/06/2022, Architecture: WINDOWS, Score: 100]
Threat name: Win32.Trojan.Havex
Status: Malicious
First seen: 2022-06-17 00:28:00 UTC
File Type: PE (Exe)
Extracted files: 17
AV detection: 18 of 26 (69.23%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:arkei botnet:default discovery persistence spyware stealer suricata
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Arkei
suricata: ET MALWARE Win32/Vidar Variant/Mars CnC Activity (GET)
suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
Unpacked files
SHA256 hash: 965dffc8c73d88f296086b5c6324b2be6ef9cd5041d6d7822370f2a04dc1538b
MD5 hash: 2c087bb64cb5b12444c5ad9e20f46822
SHA1 hash: 3c7f3b016a684ca9c61c0ef43cf229d9e48de305
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: exploit_any_poppopret
Author: Jeff White [karttoon@gmail.com] @noottrak
Description: Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.
Rule name: meth_get_eip
Author: Willi Ballenthin

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 965dffc8c73d88f296086b5c6324b2be6ef9cd5041d6d7822370f2a04dc1538b (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2022-06-17 07:04:07 UTC

url : hxxp://46.23.109.174/boomclnr.exe